[gnumeric] xls: fix fuzzed pivot reading.
- From: Morten Welinder <mortenw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnumeric] xls: fix fuzzed pivot reading.
- Date: Tue, 12 May 2015 01:13:56 +0000 (UTC)
commit 9cbad3ce952659bc395b874f4fc9420885eb219b
Author: Morten Welinder <terra gnome org>
Date: Mon May 11 21:12:23 2015 -0400
xls: fix fuzzed pivot reading.
ChangeLog | 3 +++
NEWS | 2 +-
plugins/excel/ChangeLog | 5 +++++
plugins/excel/xls-read-pivot.c | 10 +++++-----
src/go-data-cache.c | 30 ++++++++++++++++++------------
5 files changed, 32 insertions(+), 18 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 243eb33..dc6e86f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
2015-05-11 Morten Welinder <terra gnome org>
+ * src/go-data-cache.c (go_data_cache_set_val): Use memcpy for
+ inline values.
+
* src/cell.c (gnm_cell_set_array): Improve preconditions.
2015-05-09 Morten Welinder <terra gnome org>
diff --git a/NEWS b/NEWS
index 78bc63d..3daeb7c 100644
--- a/NEWS
+++ b/NEWS
@@ -16,7 +16,7 @@ Morten:
* Plug leaks.
* Fuzzed file fixes. [#748595] [#748597] [#749031] [#749030]
[#749069] [#748533] [#749118] [#749166] [#749181] [#749184]
- [#749236] [#749240]
+ [#749236] [#749240] [#749234]
* Make solver check linearity of model.
* Fix xls saving of marker style. [#749185]
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 7b80f80..d0edf4a 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-11 Morten Welinder <terra gnome org>
+
+ * xls-read-pivot.c (xls_read_pivot_cache_values): Set the right
+ size on error.
+
2015-05-10 Morten Welinder <terra gnome org>
* ms-excel-read.c (excel_read_CONDFMT): Plug leaks.
diff --git a/plugins/excel/xls-read-pivot.c b/plugins/excel/xls-read-pivot.c
index 2f86f0f..e9480ba 100644
--- a/plugins/excel/xls-read-pivot.c
+++ b/plugins/excel/xls-read-pivot.c
@@ -177,17 +177,17 @@ xls_read_pivot_cache_values (XLSReadPivot *s, BiffQuery *q, unsigned int n, cons
{
/* TODO : go_val_array_sized_new */
GPtrArray *res = g_ptr_array_sized_new (n);
- GnmValue *v;
unsigned int i;
d (1, g_printerr ("/* %u %s items */ ;\n", n, type););
for (i = 0 ; i < n ; i++) {
- if (NULL == (v = xls_read_pivot_cache_value (s, q))) {
- /* TODO : go_val_array_set_size */
- g_ptr_array_set_size (res, i);
+ GnmValue *v = xls_read_pivot_cache_value (s, q);
+ if (!v) {
+ /* TODO : go_val_array_set_size */
+ g_ptr_array_set_size (res, n);
return res;
}
- /* TODO : go_val_array_add */
+ /* TODO : go_val_array_add */
g_ptr_array_add (res, v);
}
return res;
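Review bot: The error path at `g_ptr_array_set_size (res, n);` now returns an array whose slots from `i` onward are NULL, and nothing in the code says so. Growing a GPtrArray this way fills the new elements with NULL, so every consumer of the returned array has to accept NULL entries; those callers are outside this hunk and should be checked. I would replace the TODO-only comment above the call with one that states the contract, e.g. `/* Read failed: pad to n; slots i..n-1 are NULL. */`. A `g_warning` on this path would also keep a truncated cache in a malformed file from being accepted silently. The function body continues past the end of the hunk.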
diff --git a/src/go-data-cache.c b/src/go-data-cache.c
index ae9b0e4..2b7f6d1 100644
--- a/src/go-data-cache.c
+++ b/src/go-data-cache.c
@@ -100,18 +100,18 @@ static void
go_data_cache_finalize (GObject *obj)
{
GODataCache *cache = (GODataCache *)obj;
- unsigned int i, j;
+ unsigned i;
if (NULL != cache->records) {
- GODataCacheField const *f;
- gpointer p;
-
for (i = cache->fields->len ; i-- > 0 ; ) {
- f = g_ptr_array_index (cache->fields, i);
+ GODataCacheField const *f = g_ptr_array_index (cache->fields, i);
if (GO_DATA_CACHE_FIELD_TYPE_INLINE == f->ref_type) {
+ unsigned j;
for (j = cache->records_len ; j-- > 0 ; ) {
- p = go_data_cache_records_index (cache, j) + f->offset;
- go_val_free (*((GOVal **)p));
+ GOVal *v;
+ gpointer p = go_data_cache_records_index (cache, j) + f->offset;
+ memcpy (&v, p, sizeof (v));
+ go_val_free (v);
}
}
}
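Review bot: The `memcpy (&v, p, sizeof (v));` read in the inner loop replaces a plain `GOVal **` dereference with no comment saying why, so a later cleanup could easily turn it back into the cast. The ChangeLog entry only says "Use memcpy for inline values"; presumably `f->offset` does not guarantee pointer alignment inside a record, but the hunk does not show that. If that is the reason, a one-line comment such as `/* p may be unaligned for a pointer; copy instead of dereferencing. */` would record it. The same applies to the memcpy calls in the go_data_cache_set_val, go_data_cache_set_index and go_data_cache_dump hunks, where a shared pair of static load/store helpers would keep the explanation in one place. go_data_cache_finalize continues beyond the end of this hunk.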
@@ -338,7 +338,9 @@ go_data_cache_set_val (GODataCache *cache,
f->indx, f->name->str);
return;
- case GO_DATA_CACHE_FIELD_TYPE_INLINE : *((GOVal **)p) = v; return;
+ case GO_DATA_CACHE_FIELD_TYPE_INLINE:
+ memcpy (p, &v, sizeof (v));
+ return;
case GO_DATA_CACHE_FIELD_TYPE_INDEXED_I8 : *((guint8 *)p) = 0; break;
case GO_DATA_CACHE_FIELD_TYPE_INDEXED_I16 : *((guint16 *)p) = 0; break;
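Review bot: The INDEXED_I16 store directly below the new INLINE case still writes through a cast, `*((guint16 *)p) = 0;`, so if the memcpy was introduced because `p` can be misaligned within a record, this store has the same exposure. The I16 and I32 stores in the go_data_cache_set_index hunk follow the same pattern, and the switch in go_data_cache_dump probably has wider indexed reads just past the lines shown. Treating them the same way is a small change, e.g. `{ guint16 z = 0; memcpy (p, &z, sizeof (z)); break; }`. If the layout code does guarantee alignment for the indexed widths, a comment saying so next to these cases would settle the question. go_data_cache_set_val starts and ends outside this hunk.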
@@ -378,7 +380,11 @@ go_data_cache_set_index (GODataCache *cache,
g_warning ("attempt to get value from grouped/calculated field #%d : '%s'",
f->indx, f->name->str);
return;
- case GO_DATA_CACHE_FIELD_TYPE_INLINE : *((GOVal **)p) = go_val_new_empty (); break;
+ case GO_DATA_CACHE_FIELD_TYPE_INLINE: {
+ GOVal *v = go_val_new_empty ();
+ memcpy (p, &v, sizeof (v));
+ break;
+ }
case GO_DATA_CACHE_FIELD_TYPE_INDEXED_I8 : *((guint8 *)p) = idx+1; break;
case GO_DATA_CACHE_FIELD_TYPE_INDEXED_I16 : *((guint16 *)p) = idx+1; break;
case GO_DATA_CACHE_FIELD_TYPE_INDEXED_I32 : *((guint32 *)p) = idx+1; break;
@@ -556,10 +562,10 @@ go_data_cache_dump (GODataCache *cache,
p = go_data_cache_records_index (cache, i) + base->offset;
index_val = TRUE;
switch (base->ref_type) {
- case GO_DATA_CACHE_FIELD_TYPE_NONE :
+ case GO_DATA_CACHE_FIELD_TYPE_NONE:
continue;
- case GO_DATA_CACHE_FIELD_TYPE_INLINE :
- v = *((GOVal **)p);
+ case GO_DATA_CACHE_FIELD_TYPE_INLINE:
+ memcpy (&v, p, sizeof (v));
index_val = FALSE;
break;
case GO_DATA_CACHE_FIELD_TYPE_INDEXED_I8 : idx = *(guint8 *)p; break;